System and method for delegated authentication and authorization

ABSTRACT

The present invention provides a method for providing services to a presentation device. The method comprises detecting a service delivery module in a communication system using a communication device and performing an authentication and authorization session between the service delivery module and the communication device, wherein user authentication and authorization is created. The method further comprises connecting to a service information module in said communication system to access services; providing a service request from said communication device to said service information module and initiating a service delivery session with said service information module using said user authentication and authorization information and said service request. Moreover, the method comprises delivering at least one service to said presentation device based on said service request. The present invention further provides a communication system for providing at least one service to a presentation device.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation, and claims the benefit under 35U.S.C. §120, of U.S. patent application Ser. No. 13/720,726, filed onDec. 19, 2012, and entitled “SYSTEM AND METHOD FOR DELEGATEDAUTHENTICATION AND AUTHORIZATION,” which application is incorporatedherein by reference in its entirety.

TECHNICAL FIELD OF THE INVENTION

The present invention relates to a method and system for mobile phonebased delegated authentication and authorization for service delivery.

BACKGROUND ART

Services on the internet may be accessed from various devices, such ascomputers, mobile phones and televisions, such as in smart TV and IPTVtechnology. As an example, Video on Demand (VOD) or Audio and Video onDemand (AVOD) services allow users to select and watch/listen to videoor audio content when the user has a demand or need to consume theservice. IPTV or Internet TV technology may then be used to bring videoon demand to televisions and personal computers. Television VOD systemsmay stream the content, thereby allowing viewing in real time, or theymay allow download the video or audio content to e.g. a computer orportable media player for viewing at any time.

Accessed services typically use authenticate and authorize of a user bymeans of a log-in, e.g. using a specific username and password for eachuser, and connect this log-in to billing mechanisms such as creditcards.

However, this inter alia requires storing of credentials in severaldevices (TV:s, computers etc) for auto-log, which may be a securityissue and a lot of identification information (usernames, passwords) tokeep track of. Further, existing solutions often require credit cardnumbers to be entered and stored in service provider's databases.

Moreover, hand-over of an ongoing session between platforms and networksmay be a problem, especially if the networks are open and if thepresentation devices used for rendering the services are not integratedwith the same accounting and service delivery platforms. Thus, it may bedifficult to re-route traffic in a service flow between differentpresentation devices, peers, without further authentication andauthorization information from the user as the session is anchoredbetween the server a peer. Further, at handover between e.g. a TV and amobile phone, it may also be difficult to seamlessly re-adapt theservice in terms of e.g. bit rate and properties of the media content(resolution etc).

In addition to video and audio services (streaming, progressive downloador download) there is a range of other services also suffering frominconvenient authentication and authorization. Example services arestorage services, web pages requiring log in, surveillance services andcommunication services.

Thus, there is a need in the art for improved systems and methods forproviding internet and so called Cloud services to a user in anefficient and user-friendly way facilitating the user to consumeservices across different presentation platforms, but still with highlevel of integrity and security.

SUMMARY OF THE INVENTION

It is an object of the present invention to provide a system and methodfor communication device, such as a mobile phone, based delegatedauthentication and authorization for service delivery.

As a first aspect of the invention, there is provided a method forproviding services to a presentation device, the method comprising

-   -   detecting a service delivery module in a communication system        using a communication device;    -   performing an authentication and authorization session between        the service delivery module and the communication device,        wherein user authentication and authorization is created;    -   connecting to a service information module in the communication        system to access services;    -   providing a service request from the communication device to the        service information module;    -   initiating a service delivery session with the service        information module using the user authentication and        authorization information and the service request; and    -   delivering at least one service to the presentation device based        on the service request.

According to another aspect of the present invention, there is provideda system for providing at least one service to a presentation device viaa communication system. The system comprises a service delivery moduleconfigured to initiate an authentication and authorization session witha communication device and to initiate a service session with a serviceinformation module and a service information module comprising the atleast one service and being configured to deliver the service to atleast one presentation device configured to consume or render theservice.

According to another aspect of the present invention, there is provideda method for provided services in a system including a service controlclient that is authenticated and authorized of one or multiple servicesfrom the service provider, typically being implemented in acommunication device e.g. a SIM authenticated mobile device, the methodcomprising:

-   -   the service control client detecting a service delivery module        in a communication system using a communication device;    -   performing an authentication and authorization session between        the service delivery module and the communication device,        wherein user authentication and authorization is created;    -   the service control client in a communication device connecting        to a service information module in the communication system to        access services;    -   providing a service request from the communication device to the        service information module;    -   the service information module generating a unique service or        session and user key and provide this to the communication        device and service control client using authenticated and secure        means    -   the service control client retrieving the key form the service        information module and sending the key, and possibly additional        user or presentation relevant information, to a authenticated        and selected service delivery module    -   service delivery module initiating a service delivery session        with the service information module using the user        authentication and authorization information and key and the        service request; and    -   delivering at least one service to the presentation device based        on the service request.

According to a further aspect of the present invention, there isprovided a system for providing at least one service to a presentationdevice via a communication system. The system comprises a servicedelivery module configured to initiate an authentication andauthorization session with a communication device and to initiate aservice session with a service information module and serviceinformation module comprising the at least one service and beingconfigured to deliver the service to at least one presentation deviceconfigured to consume or render the service.

According to a specific aspect of the present invention, there isprovided system including a communication device configured to comprisea service control client that is authenticated and authorized of one ormultiple services from the service provider and configured to detect theservice delivery module using the service control client, wherein anauthentication and authorization session between the service deliverymodule and the communication device, wherein user authentication andauthorization is created, is performed. Further, the service controlclient being configured to connect to the service information module inthe communication system to access services. The service informationmodule generating a unique service or session and user key and providethis to the communication device and service control client usingauthenticated and secure means upon receiving a service request from thecommunication device, wherein the service control client is configuredto retrieve the key form the service information module and to send thekey to a authenticated and selected service delivery module, wherein theservice delivery module is configured to initiate a service deliverysession with the service information module using the userauthentication and authorization information and key and the servicerequest and to deliver at least one service to the presentation devicebased on the service request.

The methods and systems according to the present invention areadvantageous in that they provides for authenticated and authorizedservices to be accessed and delivered through non-authenticated andauthorized devices, such as a TV, without additional log-in orauthentication procedures. In other words, the present inventionprovides means for how a service provider can use unauthenticatedplatforms for service rendering and delivering of secure authenticatedservice by using e.g. a mobile phone to authenticate the platform peers.

Consequently, the presentation device, such as a TV, may not in itselfhave to be connected to the service information module, but may only beconfigured to receive the service via the service delivery module.Consequently, the service, such as video and audio content, does nothave to be delivered or streamed via the communication device, such as amobile phone used for authentication and authorization, to thepresentation device, but may be delivered directly to the presentationdevice. Thus, the delivered service may be optimized, e.g. in terms ofresolution of a video service, depending on the presentation device anddoes not have to be dependent on the preferences/performance of thecommunication device. Also, the limited resources of the communicationdevice in terms of network connection, battery capacity and processingpower is saved and does not introduce a bottle neck in the delivery ofthe service.

The concept of the present invention allows for combining mobile networktechnologies for authentication with secure local networkauthentications to allow service delivery to peering devices such ascustomer provided equipment (CPE).

The communication device may for example be a mobile telephone, such asa “smart”-phone. The communication device may further be any type ofwireless transmit/receive unit, such as mobile subscriber units, pager,personal digital assistance or computer.

In embodiments of the first and second aspects, the communication systemis a wireless communication system. Thus, the communication system maycomprise a wireless network.

The communication system and the services may also be realized as cloudnetwork and may use an open network such as Internet for service access.

In embodiments of the first and second aspects, the presentation deviceis also connected to the communication system.

Thus, the presentation device may be wirelessly connected to thecommunication system, such that the service may be wirelessly deliveredto the presentation device. However, the presentation device may also beconnected via cable to e.g. the service delivery module.

As an example, the presentation device may be a TV, such as a smart TV.

Further, the presentation device may be customer provided equipment(CPE) with capacity to consume or render the service.

A CPE refers to equipment located at e.g. a within a subscriber'spremises and connected to the demarcation point (“demarc”). The demarcis the connection at which the public switched telephone network orbroad band network ends and connects with the subscribers/customersdistribution infrastructure, such as a Local area network (LAN).

A CPE generally refers to devices such as telephones, routers, switches,residential gateways (RG), set-top boxes, game consoles, computers,fixed mobile convergence products, home networking adaptors and internetaccess gateways that enable consumers to access services and distributethem around their house via a LAN (Local Access Network).

The CPE may both be a device purchased by the subscriber and/or providedby the operator or service provider.

A service provider refers to a company or organization that provides theservices being own services, partnered, retailed or brooked.

Furthermore, the presentation device may be the communication device.Thus, the service may be delivered to the communication device, such asthe telephone, used to authenticate and authorize the user/subscriber.In other words, services may be consumed directly through e.g. themobile phone.

In embodiments of the first or second aspect, the presentation device isan un-authenticated presentation device. Hence, it is not required thatthe user/subscriber to the service is authenticated or logged-in via thepresentation device for consuming the service.

As an example, the presentation device and the communication device maybe connected to the same local fixed or wireless network orRadio-frequency identification (RFID) system.

By having a relation between the communication device and thepresentation device, e.g. both being connected to the same localnetwork, further facilitates for the service session, authorized via thecommunication device, to be transferred to the presentation device.Thus, there may be a spatial condition fulfilled (the devices beingconnected to the same local network) for the service to be delivered tothe presentation device)

Furthermore, the presentation device and the service delivery managermay be connected to the same local network.

Such a network may be realized e.g. by wired connection, secure wirelessnetwork, secure virtual network (tunneling). Such a local area networkor private network usually provides integrity to a satisfying level.

In embodiments of the present invention, the service delivery modulecomprises a microprocessor and network connectivity, such as a router, amedia server or a network access server (NAS).

Thus, the service delivery module may function as gateway equipmentconfigured to, in interaction with the communication device, manage theestablishment and maintain a service connection to services in thenetwork. The service delivery module may be further configured to handlemore than one service session simultaneously.

In embodiments of the present invention, the service information modulecomprises service front ends.

Service front ends may thus be the services frontend logics in thenetwork.

Further, the service information module may comprise a centralizedelement functioning as a common communication element for the servicefront ends in communication with the service delivery module.

The centralized element may thus function as a centralized service,session and user management element that may be used as a commonfunction instead of implementing such functionality within eachindividual service front end.

As an example, the at least one service may comprise a media service,such as video and audio service, a communication service and/or storage.

In embodiments of the present invention, the authentication andauthorization session between the service delivery module and thecommunication device is performed by means of SIM or PIN-code basedauthentication. The SIM or PIN code based authentication may be eitherdirect in the sense that a SIM or PIN challenge in the authenticationprocedure, or indirectly by performing the authentication procedure on adevice or platform that has is SIM or PIN code authenticated with theservice provider network while the authentication session between theauthenticated communication device and the service delivery module usesanother authentication method with satisfying integrity and security.

A personal identification number (PIN), refers to a numeric passwordshared between a user and the communication device that can be used toauthenticate the user.

The SIM (subscriber identification module) of the communication device,e.g. the integrated SIM-circuit of a mobile phone, that stores theInternational Mobile Subscriber Identity (IMSI) and related key/passwordused to identify and authenticate the user of the communication device,may also be used for authentication and authorization. Theauthentication may include a step including a SIM card PIN-codechallenge, i.e. a procedure where the SIM card is authenticated to themobile network. The SIM may be embedded in the SIM card, which is forstoring network-specific information used to authenticate and identifysubscribers on the network.

The authentication procedure may differ depending on the specificaccount type. According to the present invention, a non-exhaustive listof account types includes administrator, owner/billing, user, and guest.Further the authentication procedure may also differ depending on thespecific service that has been authorized. It may also be based onpolicies and preferences set by the owner/billing or administratoraccount.

While some authentication and authorization sequences may use a strongmethod, a method with a high security level, combining multiple steps,other may only include one or a few steps, which may be only a softwarelogin or using stored keys (service unique or to the network) in theclient. An example is to authenticate and authorize a user based on thathe/she is authenticated on the same local network (e.g. WLAN) and has aknown identity.

In embodiments of the present invention, the method is furthercomprising linking the authentication and authorization information tobilling mechanisms for the at least one service.

According to embodiments of the present invention, the authenticationmay be for one particular transaction or session, or the SDM may beprovided with a authenticated key that are valid for a defined number oftransactions or for a defined time (e.g. 4 hours or 30 days). Details ofthe validity and how to use the credentials are provided to the SDM fromthe SCC.

A service may also be initiated or controlled by another device, e.g. aPC with a browser connected to the SDM but not using a SCC, if so isallowed by the service policies. If so, authentication of service orparticular content or functionality within the service, may initiateauthentication procedure with the SCC that has the authorities toapprove the request, typically being the owner or billing account of theservice. An example is a video service initiated from a browser or a TV,but where the request to the policy function or directly to the videoserver triggers an authentication message to the service account ownertypically, but not necessary, on an authenticated communication meansuch as SMS.

The billing mechanisms may for example be credit card numbers,subscription with service provider, internet payment account etc. Thus,the information used for authentication and authorization may also beused by the service provider for automatically billing theuser/subscriber of the service. Thus, no further identification orbilling procedures may be needed for delivering the service to the user.As an example, a billing relation between a mobile network operator or amobile virtual network operator may be used for billing of the services.This relation may also be used if the service is transferred from onepresentation device to another.

In embodiments of the present invention, the method comprises presentingavailable service presentation devices for the communication device.

As an example, after authentication and authorization, the servicedelivery module may present information to the communication deviceabout available presentation devices. The user of the communicationdevice may then select which device the service is to be delivered to,or this is automatically selected by previously configured preferences.

The method of the present invention may further comprise transferringthe stream of the at least one service to another presentation devicebased on a further service request from the communication device.

Thus, this allows the user of the communication device to transfer e.g.video, audio or communication session or content, or access to a cloudstorage service, from one presentation device to another, e.g. from oneTV to another or from the TV to the mobile phone or vice versa. Themethod and system of the present invention facilitates seamless handoverof services between devices, also when one or more of the devices areunauthenticated to the service provider.

In embodiments of the present invention, the method comprises adaptingthe at least one service before delivery to the at least onepresentation device based on the service rendering capabilities of thepresentation device.

As an example, the service delivery module may adapt the servicedepending on the selected presentation device, e.g. by incorporatinginformation about rendering capabilities of the selected presentationdevice in the service request to the service information module.Consequently, the service may be optimized for the presentation deviceselected by the user.

In embodiments of the present invention, detecting a service deliverymodule is preceded by searching for available service delivery modules.

Thus, the communication device implementing the SCC may perform acontinuous search, or a search according to Service Providerinstructions, for available delivery modules. When a SCC equippedcommunication device detects a new SDM, a procedure may be started whereeither a new owner and billing account is created in the SDM if there isno such account exists, or another account type is created.

According to embodiments of the present invention, new accounts may beuser accounts (permanent accounts of e.g. family members or other usersthat are allowed to use the provisioned services) or guest accounts(temporary accounts that have restricted access to services but who mayalso have own services that can be rendered using the SDM).

A non-exhaustive list of example account types include:

Admin: Administrator account where preferences of the SDM and attacheddevices are managed

Owner/Billing account: Account that manages services provided by theService Provider that are billed for and sets policies for how theseservices may be used by Users and Guests.

User: Authenticated accounts used for consuming services

Guest: Account valid for a configurable period with typically limitedaccess to the services of the Owner, but also access to his own servicesto the extent defined by policies set by Owner.

In other embodiments of the present invention, the communication devicehas not previously been authorized to use the service delivery module.

As an example, the authentication and authorization session between theservice delivery module and the communication device may then compriseinitiating a guest mode session between the service delivery module andthe communication device, wherein the guest mode comprises receivingauthorization information from the owner of the service delivery module.A Guest may use the visiting SDM to consume and present servicesassociated with this account with the Service Provider, but also via thevisiting SDM create a connection on his own SDM.

Thus, there may be a procedure involving the owner of e.g. a securelocal network to which the presentation device is connected before thecommunication device discovers the SDM and becomes authorized to consumethe services using the presentation device

Furthermore, in embodiments of the first and second aspect, userauthentication and authorization between the communication device andthe service delivery module is the same as, or re-uses indirectly, theuser authentication and authorization between the communication deviceand a mobile network in which the communication device is configured tooperate.

Thus, the authentication and authorization of the communication deviceto the mobile network may be used for authentication with the servicedelivery module as the service provider may use the authenticated meansto communicate with the communication device implementing the SCC todeliver authentication details to use when authentication the SDM. Thismeans that the trusted PIN or SIM authentication used for the mobilenetwork connection between e.g. a mobile phone and a network operatormay be used for authentication and authorization with the servicedelivery module by having the following authentication and authorizationprocedure implemented on a connection that is authenticated (e.g. byusing SMS).

The service delivery module may have the same owner as the mobilenetwork.

In embodiments of the first and second aspect of the invention, theservice request comprises a service key comprising user data, sessionidentification and/or session information.

The user data may for example comprise service accounts associated withthe mobile device

The session information may for example comprise where to start in thestream, preferences of the video or audio etc.

In embodiments of the first and second aspect of the invention, theservice request comprises service location and/or the address to theservice information module.

The location and/or address may be an internet location, e.g. comprisingan URL that constitutes a reference to an internet resource from whichservices may be reached.

The service request from the communication device to the serviceinformation module may be provided by the communication device directly,or may be provided via the service delivery module.

Further objects and advantages of the present invention will bediscussed below by means of exemplifying embodiments.

These and other features, aspects and advantages of the invention willbe more fully understood when considered with respect to the followingdetailed description, appended embodiments and accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings are not necessarily drawn to scale and illustrategenerally, by way of example, but no way of limitation, variousembodiments of the present invention. Thus, exemplifying embodiments ofthe invention are illustrated by way of example and not by way oflimitation in the figures of the accompanying drawings in which likereferences indicate similar elements. It should be noted that referencesto “an” or “one” embodiment in this discussion are not necessarily tothe same embodiment, and such references mean at least one.

FIG. 1 shows a schematic drawing of a communication system.

FIG. 2 shows an overview of the method for delivering a service to apresentation device.

FIG. 3 shows a detailed overview of how signalling may be performed inthe communication system.

FIG. 4 shows an overview of an embodiment of the method for delivering aservice to a presentation device

DETAILED DESCRIPTION OF THE INVENTION

As used herein, the term “module” refers to an application specificintegrated circuit (ASIC), an electronic circuit, a processor (shared,dedicated, or group) or memory that execute one or more softwareprograms, a combinational logic circuit, or other suitable componentsthat provide the described functionality. The term “module” may furtherrefer to a specific form of software necessary to practice the methodsdescribed herein and particularly the functions described in connectionwith each specific “module”. It is believed that the particular form ofsoftware will be determined primarily by the particular systemarchitecture employed in the device and by the particular detection andtherapy delivery methodologies employed by the device. Providingsoftware to accomplish the described functionality in the context of anymodern communication device, given the disclosure herein, is within theabilities of the person skilled within the art.

Method Overview

FIG. 2 shows an overview of the steps that may be performed within thecommunication system. It is to be understood that the steps do notnecessarily have to be performed in the order presented in FIG. 2. Acommunication device, such as a mobile phone, may search 200 for anyavailable service delivery modules and e.g. when in a specific area orrange from a module, detect 201 such a service delivery module. Anauthentication and authorization session is initiated and performed 202between the communication device and the service delivery module, whichmay involve the user of the communication device to enter e.g. a PINcode, a password or exchanging credentials stored in the communicationdevice or provided without need of customer interaction form the serviceprovider. Such a session may be initiated either from the deliverymodule or from the communication device. If the SDM is a SDM with yet noowner account created, this will be performed typically initiated by thecommunication device implementing the SCC. Once the user/subscriber hasbeen authenticated, billing mechanisms may be linked 204 to the specificuser or communication device. If the communication device is previouslyunknown to the delivery module while the delivery module already hasprovisioned owner/billing account and the new SCC is a client added as auser account, a guest session may be initiated 203, which e.g. mayrequire further authorization from the owner account of the deliverymodule or/and the owner of the wireless network in which the deliverymodule operates before any service sessions are initiated.

Available services, typically being the services provided by the serviceprovider, may be presented 205 to the user in the communication deviceimplementing the SCC. Services may also be presented to device connecteddirectly with the SDM, e.g. in a browser, if it is services that isavailable to consume or initiate from other devices than the deviceimplementing the SCC. Further, available presentation devices may bepresented 206 to the user. Services and presentation modules may bepresented by the delivery module for the communication device. As anexample, a list of available media services and available TV:s, musicequipment, game consoles or other presentation devices may be presentedfor the user on the mobile phone, and the user may then select thesuitable presentation device to which service is to be delivered.

The service delivery module and/or the communication device may thenconnect 207 to a service information module, realised e.g. in a serveror a cloud network. A service request containing e.g. type of serviceand service location as well as information used to associate therequest with the user and eventual session or accounts if needed isprovided 208 to the service information module. The service may then beadapted 209 depending e.g. on user input and the rendering capabilitiesof the selected presentation device. As an example, the resolution of avideo service may be adapted depending on the selected presentationdevice.

A service delivery session is then initiated 210 between the serviceinformation module and the service delivery module, and the service isdelivered 211 to the selected presentation device.

As a response to e.g. input from the user, the service stream may betransferred to another presentation device, e.g. transferred 212 fromone TV to another.

System Components and Software

One of the fundamental ideas is that a communication device, e.g. acustomer's mobile phone, is the primary interaction device is set up orinitiated, authenticated and authorized. A system for realising themethod is schematically shown in FIG. 1.

The communication system 1 has a number of main functional componentsthat may entirely be controlled by or with software componentscontrolled by the service provider. Functionalities in the components ofthe communication system 1 may be centralized and implemented instand-alone, possibly shared, network elements.

A communication device 2, such as a smart phone with a SIM authenticatedunit, representing the users authenticated and authorized relation withthe mobile network (or mobile virtual network operator) operator. Themobile network operator may be the same or partner with the provider ofthe services as well as the platform where services can and areinteracted with through web interfaces. The communication device 2 isthus the mobile device where the user is authenticated and authorized toservices.

The service delivery module 3 is a service gateway equipment includingsoftware configured to, in interaction with communication device 2,manage the establishment and maintain a service connection to theservice(s) in the network. The service delivery module 3 may beimplemented in a router, media server, computer, game console, NAS orother device with microprocessor and network connectivity capable ofmeaning one or multiple connections and sessions as well as the servicedelivery manager software.

The services are realised in a service information module 4. 4 a is theservices frontend logics in the network, which may be e.g. content andmedia services (video, music, web), communication services, storage. Theservice information module may further comprises a centralized element5, which function as a centralized service, session and user managementelement that may be used as a common function instead of implementedsuch functionality within each individual service front end 4 a.

The service information module 4 may thus be or function as a serverrepresenting the service provider own service infrastructure (typicallya cloud service) of own application servers and front ends or front endsby partner provided services and applications.

Presentation devices 6 are equipment connected to the network and usedto render one or multiple services realized in the network (“cloud”).One or several of the presentation devices 6 may be a CPE that are tosome extension known and recognized by the service delivery manager andpresented as presentation options to the SCC and the application used tocontrol it in the communication device, e.g. the mobile phone.

In addition to the system components described above, there are multiplenetworks and network elements, and various networks connecting thecomponents with each other and internet.

9 represents a network connection to the presentation devices 6 used toconsume/render the services provided via the service delivery module 3.This network connection is typically a Local Area or Private Networkthat provides integrity to a relevant level. This can be either asresult of physical availability e.g. wired connections, a securewireless network connection or a secure virtual network connection(tunneling) or a combination of those.

The connection between the communication device 2 and the servicedelivery module is represented by 7. This is usually a secure, trustedconnection with high integrity.

The mobile network connection to the service information module 4, e.g.an application server, is represented by 10. This connection isgenerally authenticated and trusted.

The interface from the service delivery module 3 and the serviceinformation module 4 is represented by 8. This data connection istypically a secure connection or encrypted stream, but possibly over anopen network such as internet.

The service delivery module 3 may include an SDM 12 (“Service DeliveryManager”) configured to, in interaction with communication device 2,manage the establishment and maintain a service connection to theservice(s) in the network 1. The SDM 12 may be implemented as asoftware. The SDM 12 may further control the delivery of service relateddata, i.e. by controlling connection 8. Furthermore, the communicationdevice 2 comprises an SCC (“Service Control Client”) 11 thatcommunicates with the SDM 12 in the service delivery module 6 as well aswith the services and applications front end servers 4. The SCC 11 maybe implemented as a software.

The SDM 12 and SCC 11 software may function as follows:

The SCC is a the client implemented in a platform providing sufficientauthentication and authorization means for the service provider toprovide services that typically are associated with an billing account.The SCC authenticates and authorizes the user with services provided bythe service provider according to service and user based policiestypically depending on the agreement between the user and the serviceprovider. The SCC hence constitutes the primary mean for how thecustomer interacts with the services when the interaction requiresauthentication of the user.

The SDM in the service delivery module 3 publishes its existence to thelocal network and/or other selected destinations on the network orInternet. The publishing may be public or to selected mobile devices andclients, and possibly a combination. How and to whish the ServiceDelivery Manager is published is controlled by the Service Provider.When detected, the SDM 12 is invoked by the SCC 11 and an authenticationand authorization between the SDM and SCC 11 in order to establish aconnection and associate the SCC with an account in the SDM. When theSCC 11 is authorized, the SDM 12 publishes local service renderingcapabilities (such as audio and video devices, storage etc.) that can beused for service delivery. The SDM 12 also establishes the connection tothe service front ends 4, where information about the SCC 11 and SCC 11user is provided as well as service information and preferences based onthe local service rendering capabilities, which may be used to adapt theservice.

As discussed above, the SCC 11 is the connection between a customer'sauthenticated and authorized (typically SIM/MSISDN-based or indirectlySIM/MSISDN based) service accounts (available services, billing detailsetc.) and related or connected SDM:s 12 or service delivery modules 3.The SCC 11 tries to find and connect to service delivery modules 3continuously or according to Service Provider instructions andconfigurations (e.g. by always looking for a local service on all orcertain networks).

When detecting a new or already known service delivery module 3 (e.g. byattaching a local network where a service delivery module 3 ispublishing its existence via the SDM software 12, or by gettinginstructions by the user or Service Provider to connect to particularservice delivery module 3), the SCC 11 attempts to establish aconnection with the SDM 12. A authentication and authorization procedureis initiated, in which capabilities of available services orpresentation devices 6 is presented to the SCC 11 based on ServiceProvider and user (both SCC 11 and SMS user/owner, which may not be thesame).

The SCC 11 may now order SDM 12 to perform a service initialization,set-up or modification based on customer interaction with the SCC 11 orby settings and preferences controlled by the user or Service Provider.The SDM 12 may be fully unaware of whom the user of the SCC 11 is (e.g.meaning that no used details provisioning is performed in the SDM priorto interacting with the SCC) and the service he is attempting to render.

The service frontend 4 a serves the customer with service sessions andstreams to one or multiple network destinations. The session or streamis typically terminated in the mobile device or in the service deliverymodule 3

The service front end uses shared secret principles negotiated betweenthe SCC 11 and service frontend to authenticate service and to identifysession.

Upon the request from a SCC to prepare to deliver to deliver the serviceto a SDM, a unique key is generated for the particular SCC user, serviceand session is generated. The request may include SDM identityinformation, if such policies are applied. This key is, among otherinformation, used by the SDM in the service request and is used toassociate the particular SDM and SDM request with a SCC user that meansa customer, in order to manage policies and billing of the deliveredservice.

The service frontend 4 a delivers the service to the destinationrequesting the service, or may in some cases deliver it to a destinationbeing instructed to deliver it to.

Thus, the SCC 11 installed in a user's communication device (e.g. asmart phone) authenticates and authorizes with the users availableservices provided by or through the service provider. Several SCC 11:smay share the same service accounts (e.g. a family) and how charges forservice is booked on the customer accounts and bills. This may bemanaged by having a super user of the SCC 11 (e.g. the MSISDN/MobileAccount owner) who can add additional MSISDNs/Mobile accounts as users.Services may be consumed directly thought the mobile device (e.g. astreaming video or audio service) or through other renderingalternatives using the SCC 11 and an SDM 12.

To summarize, the method and system allows a user to use a mobile phonewith a service control client, communicating with a device embedded software in un-authenticated connected devices, to authenticate andauthorize set-up, initialization or modification of service session andapply business rules accordingly.

Detailed Flow Chart

FIG. 3 shows a detailed flowchart of an example of howsignals/information may be transferred between components in thecommunication system. In this, example, there is a policy server 330,the SCC software 331 integrated in the communication device, an eventlistener 332 within the communication device, a network (a (W)LAN/VPNnetwork) 333, a service information module in the form of an applicationserver 334, the SDM software 335 integrated in the service deliverymodule and the presentation device/rendering device 336. The method maybe implemented as follows. That is, the method may comprise one orseveral of the following steps:

301: Policy server 330 sets policies in Application Server 334, bothgeneral and user specific policies;

302: SCC 331, typically running on mobile device, contacts Policy Server330 to get policies, general and user and service specific, to apply

303: Policy Server 303 sets SCC Policies;

304: The WLAN network pilot detected by the communication device;

305: Event Manager in OS or part of the SCC software (depending onplatform) alerts the SCC 331 that an event that shall trigger search forSDM has occurred, such as a new WLAN network is discovered and/orattached to;

306: SCC 331 attempts to contact a local SDM 335 e.g. by querying alocal routed URL;

307: SDM 335 returns it's Presence as well as authentication information

308: Authentication (customer account and service authentication andauthorization) and session establishment as well as SDM 335 provideslocal properties to SCC 331, such as available presentation/renderingdevices;

309: A “Heart Beat function” used to continually (to step 319) confirmthe existence of the SCC 331. Policies for Heart Beat (e.g. frequency)and actions if lost is set in 308. The SCC-SDM Link establishment isdepicted by dotted 320 in FIG. 3;

310: SCC 331 contacts application server 334 to prepare for servicesession to be established to SDM 335 and to get the key later used forassociation;

311: Application Server 335 returns authentication details;

312: SCC 331 provide service details (e.g. address to applicationserver), session details and authentication details as well asinformation provided by user interaction to the SDM 335;

313: SDM 335 establishes session with application server 335 withdetails provided in 312 in order to associate request with SCCcustomer/account as well as details needed for service rendering (e.g.resolution, bit rate and/or other quality parameters);

314: Application server 334 initiates delivery of service;

315: SDM 335 creates local network service rendering session, e.g. usingDLNA to deliver media stream to rendering device 336;

316: Interaction with service from a non-SCC device, such as a devicerunning a browser communication directly with service controller in orwith reference to the SDM modules service, e.g. changes the content thatis being streamed;

317: An action that requires SCC approval (defined by policiespreviously provisioned) that requires approval by a SCC (e.g. if thereare additional billing to be applied or if it is a content that requiresapproval), triggers the SDM to send Approval message to SCC;

318: Approval (alt. Not Approval) message sent to SDM, if ApprovalMessage is sent, prior to the message sent to SDM the sequence 310 and311 may be executed with new service details in order to get a new keyto update session with;

319: SDM contacts Application Server 334 to get update or start newservice session (e.g. new content stream);

320: Application Server 334 updates session to SDM;

321: SDM 335 updates or creates new local network service renderingsession;

322: SDM 335 notifies SCC 331 that service is established and beingrendered, so that SCC 331 may change mode to a controller mode;

323: Event Listener 332 alerts SCC 331 that an event has taken place,which may be a reason to change the service session in the SDM 335 (e.g.terminate it or “move” it to another rendering device 336, such as tothe mobile device);

324: SCC 331 orders SDM 335 to take action according to policies and/oruser instruction;

325: SDM 335 takes action with application server 336.

Thus, the present method may only require a single customerauthentication and authorization interaction, e.g. before step 310 asdepicted by 325 in FIG. 3. In 327 the customer, or another user, uses anon SCC device to change the service, e.g. using a non Service Providerauthenticated device in the local network that via the SDM can manage aset of services by directly interact with the SDM. The CustomerInteraction in step 328 is if the interaction in step 327 requires theauthorized service account SCC to approve the change (e.g. if there arebusiness logic associated with the change).

Implementation Scenario—Video on Demand on TV Via Mobile Phone

The following implementation scenario example further illustrates theinterplay between communication device and service delivery module, i.e.interplay between the SCC and SDM software. The scenario and technicaldescription is described in relation to FIG. 1.

Scenario example: A user is at home and there are two TV:s connected tothe local network in the home. The user wishes to use the VOD service onhis phone. After selecting the movie and pressing Play on the mobiledevice, a menu is displayed asking the user if the content shall beplayed out in mobile or on TV. User selects TV, and a list of availableTV:s are presented. User selects “Living room TV”. The movie is startedon the TV, and the phone interface is transformed to a remote control.

Technical description/solution: The users has a VOD service accountassociated with the mobile subscription (SIM-card). After successfullyauthenticated himself with the PIN-code when starting the phone 2, theuser can use the service and content is billed for without anyadditional authentication procedures.

Within the service (e.g. App or HTML5 code) there is a SCC 11 that willstart listen for local SDM(s) 12 that is available. If there is a knownSDM 12 detected (a SDM 12 where the user/SCC 11 is already authorized touse) the service will register this and at certain events in the serviceacquisition flow present the customer options based on the SDM:s 12capabilities and the users (the SCC 11) preferences and rights. If thereis a SDM 12 detected that is not known, the SDM 12 is registered as avisiting SDN and the SCC 11 will act in guest mode, which means therewill be a procedure involving the local network/SDN owner beforepresenting the capabilities.

In this example, the network has two TV:s 6 configured, one being the“Kids Room” and one being the “Living Room”. The SDN also have somepreferences of each TV, saying that the “Living Room” TV supports 1080Presolution, while the “Kids Room” is a 720P TV.

When the user are in the same network with an SDN being authorized touse and using the VOD or TV service, in the user interface on the mobilephone option to present the content on a TV instead.

User selects TV when being presented the option, and then a new questionfollows asking which TV. User selects “Living Room”.

The SCC 11 now generates a unique service key combining User Data,Session Identification, Session Information (where in the stream tostart, e.g. beginning or 21 minutes from start etc.). The SCC 11 alsoincludes the preferences of the video, in this case 1080P resolution andpossibly audio quality preferences, in the key (notes that some of thisinformation or additional information may be added by the SDM 12).

The SCC 11 also provides the SDM 12 with the Service Location (e.g. anInternet URL or IP address and/or port number) or the address to acentralized service front end 4 a.

The SDM 12 sends the request to the provided address, and includes theservice key. The Service Frontend 4 a (or centralized service front end5) uses the key to associate the requesting SDM 12 with an servicesession, and indirectly with both user information used forauthentication and billing and session information used for sessionre-establishment.

A new session is set up to the SDM 12, and the SDM 12 host deviceestablishes the relevant services in order to deliver the service to therequested presentation device. Typically for VOD this is a streaming orprogressive download session using DLNA between the SDM host and the TVor Media Player connected to the network.

Turning now to FIG. 4, an embodiment of the method will be discussed.First, in step 400, the service control client (SCC) 11 searches foravailable service delivery modules (SDM) 12. At step 401, a SDM 12 isdetected. In step 402, a SCC-SDM authentication and authorization isperformed. Then, in step 403, a guest mode sequence is initiated.Thereafter, in step 404, a local presentation destination is listed inthe SCC 11. At step 405, the SCC 11 connects to a service network, whichalso includes required authentication procedures. Then, at step 406, theavailable presentation devices 6 are presented by the SCC 11, forexample, on a display of the communication device 2 and the selectedservice is initiated. At step 407, a connection between the SCC 11 andthe SDM is established. At step 408, a presentation destination isselected. At step 409, the SCC 11 requests a service identification andauthorization key from SDM 12. The service information module 4 or acentralized policy function processes the request and generates therequested key at step 410 At step 411, the identification andauthorization key is delivered to the SDM 12. The SDM 12 connects to theservice information module 4 according to information from SCC 11 andincludes key and presentation preferences at step 412. At step 413, theservice information module 4 associates the request with SCC 11 foraccounting and billing and initiates/continues service to SDM 12 adaptedaccording to preferences. At step 414, the SDM 11 presents the serviceto the presentation device 6 selected by the SCC 11.

While this specification contains a number of specific embodiments,these should not be construed as limitation to the scope of the presentinvention or of what may be claimed, but rather as descriptions offeatures specific to exemplary implementations of the present invention.Certain features that are described in this specification in the contextof separate implementations can also be implemented in combinations in asingle implementation. Conversely, various features that are describedin the context of a single implementation can also be implemented inmultiple implementations separately or in any suitable sub-combination.Moreover, although feature may be described above as acting in certaincombinations or even initially claimed as such, one or more featuresfrom a claimed combination can in some cases be excised from thecombination, and the claimed combination may be directed to asub-combination or variation of a sub-combination.

Similarly, while operations are depicted in the drawings in a particularorder, this should not be understood as require such operations beperformed in the particular order shown or in sequential order, or thatall illustrated operation be performed to achieve desirable results. Incertain circumstances, multitasking and parallel processing may beadvantageous. Moreover, the separation of various system components inthe implementation described above should not be understood as requiringsuch separation in all implementations, and it should be understood thatthe described program components and systems can generally be integratedtogether in a single software product or packaged into multiple softwareproducts.

1. A system for providing at least one service to a presentation devicevia a communication system, the system comprising: a communicationdevice; and a service delivery module configured to initiate anauthentication and authorization session with the communication deviceand to initiate a service session with a service information moduleserver, the service information module server comprising the at leastone service and being configured to deliver the service to at least onepresentation device configured to consume or render the service,wherein: the communication device comprises a service control clientthat is authenticated and authorized of one or multiple services fromthe service information module server and configured to detect theservice delivery module using the service control client; the servicecontrol client is configured to connect to the service informationmodule server in the communication system to access services; theservice information module server is configured to generate a uniqueservice or session and user key and provide the unique service orsession and user key to the communication device and service controlclient using authenticated and secure means upon receiving a servicerequest from the communication device, wherein the service controlclient is configured to retrieve the key from the service informationmodule server and to send the key to an authenticated and selectedservice delivery module; the service delivery module is configured to:initiate a service delivery session with the service information moduleserver using user authentication and authorization information, the key,and the service request and deliver at least one service to thepresentation device based on the service request; the communicationdevice has not previously been authorized to use the service deliverymodule; and the authentication and authorization session between theservice delivery module and the communication device comprises:initiating a guest mode session between the service delivery module andthe communication device, wherein the guest mode session comprisesreceiving authorization information of an owner of the service deliverymodule.